Mobile phone users sorely mistaken about how much privacy they have

Resounding "no" to data collection in theory, even if it's a "yes" in practice.

Despite their widespread acceptance of the increasingly liberal privacy policies of sites and services, the majority of American consumers don't, in fact, want their data collected, their activity tracked, or their usage analyzed. A new study from the Berkeley Center for Law and Technology asked 1,200 households several straightforward questions about what level of privacy they think they have when using a cell phone, and what information is and is not OK for companies to track and store. The majority thinks they have far more privacy than they do, and are unequivocally opposed to some of the most common forms of data collection.

"We found that Americans overwhelmingly consider information stored on their mobile phones to be private—at least as private as information stored on their home computers," states the study, which used information collected by both landline and wireless phones. Fifty-nine percent of all respondents ages 18 to 65 and beyond said their phones were "at least as private" as their home computers, and 19 thought their phones were more private than their home computers.

This is likely not the case, at least in terms of content that apps and sites consider accessible. Mobile phones often contain information like unique device identifiers, or entire address books' worth of information that can be accessed by apps with the right permissions. Respondents also think their phones are paying less attention than they really are: 56 percent said they visit websites with their phones, but only 37 percent said their phone stores information about websites they've visited.

It's not at all uncommon for websites browsed or apps used on a mobile phone to access, track, and store pieces of this information. It's all but the status quo, and usually neatly outlined by some privacy policy that the end user never reads. Google still scans all your e-mails; Facebook still catalogs your Likes and displays them conspicuously to your friends; a shopping website carefully notes the novelty Avengers t-shirt you were looking at when you navigated away, and its ad network makes sure to display that item in a sidebar or popover later.

Sometimes a company oversteps the subjective line of privacy violation, as when people learned Path was caching users' address books for seemingly no reason other than "it was there," and it receives some backlash. This is old news. Many mobile phone users are giving this data away for free and are diametrically opposed to its taking and tracking, but continue to use services that do it.

In one question, the study authors asked participants about two data collection scenarios. In the first, the authors asked if it would be OK for a social networking app to collect users' address books in order to suggest more friends. In the second, they asked if it would be all right if a "coupons app" collected the same information to offer coupons to the users' friends. In both cases, those surveyed answered overwhelmingly that they "definitely would not allow" the collection in either case: 51 percent for the friend suggestions, and 75 percent for the coupons. A further 30 percent and 15 percent, respectively, said they would "probably not allow" it.

This seems intuitive to us, as in both cases the user benefits little and potentially violates the privacy of friends. And yet, in the wake of the Path hullabaloo and a similar uproar over Facebook's use of address books, it turns out this type of data collection is not uncommon. Because the data collection on mobile phones is so passive—both difficult for companies to notify users about and difficult for users to notice—the users fail to get visibly upset about something that is, at least in theory, upsetting to them.

The study provides an interesting counter to the accounts of companies who collect this information. Google, for example, has cited the fact that the majority of people who visit their targeted ads settings page don't change anything on it as indication that people like, or at least don't mind, targeted ads. This type of metric doesn't scratch the same point-blank surface as the survey by Berkeley, which shows that users in general are flat-out uncomfortable with some types of data collection.

The authors point to an excerpt from I'm Feeling Lucky: Confessions of Google Employee Number 59, where workers dance around the issue of browser cookies the company wants to store on users' computers to collect information. Marissa Mayer, a vice president at Google, noted at the time that if the company both explained what cookies were and gave users the chance to opt out, everyone would opt out. Obviously, that didn't further Google's cookie aims. Mayer remained disturbed by the idea of automatic opt-in, but offered only that "a page" should "at least" explain the use of cookies and how to delete them.

"The gulf between private sector information demands and consumer preferences suggest that better disclosures and choice mechanisms alone will simply preserve the status quo," the study authors write. To close the gap between what users think they're selling and what companies are actually buying, data-wise, the authors say there need to be "incentives" to reduce the collection of information. More importantly, users need to have measures for intervening with data collection after the fact: if a user discovers a company holds data the user doesn't want them to have, the user should have the right to delete information associated with their account and be able to "exit whole."